Inside iOS 5: privacy change kills app developers' access to UDID

One of the new features of Apple's upcoming iOS 5 is the removal of a feature many app developers, particularly ad networks, regularly access to track use of their apps by mobile customers.

According to a report by Tech Crunch The upcoming release of iOS 5 will deprecate developers' app access to "uniqueIdentifier," the universally unique serial number embedded in each iPhone and iPad sold.

This UDID works like a networked computer's MAC address, serving as a unique hardware identifier that remains the same regardless of the user or app currently running. A security review last year showed that 68% of top iPhone apps transmit unencrypted UDIDs that can be used to track user behaviors unique to a device, while another 18 percent transmit encrypted data that may include the UDID.

The change should effectively end a controversial privacy issue that relates to how third party developers and ad networks track users, without their knowledge, consent, or in some cases without any ability to block such data collection.

This summer, Apple was sued by a man in New York over iPhone location data tracking issue, with Apples inability to provide a method to delete or restrict access to a devices UDID being one of the main points of the lawsuit.

The UDID

Every mobile device has a unique serial number that identifies it to the mobile network. For iOS devices, this number is accessible by users from iTunes or through the Settings app on the device itself.

Developers can distribute a custom app provisioned for use on specific phones identified by their UDID, and also register this number with Apple to verify the installation of beta versions of iOS.

Third party apps can currently read users' UDID after being installed on the device, allowing the app to record what device is using it without the user needing to login with a uniquely identifying account number. Third party ad networks access this number to track the use of mobile devices, similar to how web browser cookies can store information unique to a given user.

Unlike cookies however, a device's UDID can be read by any app, allowing ad networks to coordinate their data across apps with a globally unique serial number that doesn't change and can't be deleted.

Use cookies, accounts, iCloud, GameCenter instead

By removing app access to this number, Apple will pinch off the ability of third party ad networks to track users' behaviors across the various apps they are installed within. Apple recommends that developers "create a unique identifier specific to your app" instead, a process that would work much more like web cookies.

By forcing each app to maintain its own per-user tracking cooking, iOS 5 will prevent analytics firms from being able to effectively track users unique to a device, or to cross-reference behavioral data collected from multiple apps.

It will also make it impossible for developers to track whether a user has stopped using their app and then started up again, unless the user voluntarily opts to log in with an identifiable account. Thus, simply deleting and reinstalling the app will clear any unique tracking numbers a developer or ad network has on record, allowing users to erase their tracks in the mobile world just as they can by deleting browser cookies.

The change will occur alongside the appearance of iCloud, which will allow apps that the user approves to share a unique key across devices using iCloud's new Documents and Data feature. For example, a developer can use iCloud to customize the appearance or state of their app across the users' devices by sharing key value data in the cloud.

Apple's GameCenter also allows third party apps to associate state within a game with a specific user when that user chooses to login via their Apple ID. This allows a user to move between devices while retaining the same scores and achievements on a user account level.

Developers have noted that the inability to track users by a hardware address could complicate beta testing and make it harder to ban abusive users from a service, unless the developer resorts to using a personal account system. Apple has warned developers that they should not rely on the UDID for device level tracking of their users.

Apple is scheduled to launch iOS 5 to the public this fall. The company just released iOS 5 Beta 6, build 9A5302b, to developers.